
Model Assesses Readiness to Accept Outside Vulnerability Reports

HackerOne released a free model that assesses an organization’s readiness to accept outside vulnerability reports.

The proliferation of independent and vendor-sponsored bug bounties has not only put some money in researchers’ pockets, but has also forced enterprises—and software makers—to put processes in place to handle outside bug reports.

“Saying you want one is not enough,” said Katie Moussouris, chief policy officer at bug bounty platform provider HackerOne. “CSOs need to figure out if they’re prepared to receive vulnerability reports from the outside.”

HackerOne today launched its Vulnerability Coordination Maturity Model, a free online assessment that organizations can use to determine where shortcomings may exist in areas such as executive support, communicating with customers and the industry, and incentives, before turning to established ISO standards, for example, that help handle bugs from a root-cause analysis and engineering standpoint.

The Vulnerability Coordination Maturity Model is a free five-minute survey tool that walks you through five top-level capabilities and three maturity levels within each capability that should be in place for a vulnerability program to succeed. The survey determines an organization’s readiness and produces a report that benchmarks where a company stands at a point in time and how it measures up to other organizations. CSOs, for example, can take the report results and figure out how to best funnel resources and new investments.

“You can actually get a lot of mileage in these capability areas even if you are a small developer shop,” Moussouris said. “Deciding you’re going to respond to vulnerability reports and having a process to deal with them, you can do that with a single developer. Getting into advanced levels in analysis and engineering requires advanced resources. If you’re going to have a program in place to accept and fix vulnerabilities, you should be able to fold in the resources you need.”

Each capability that is assessed in the model returns a determination of whether an organization is at a basic, advanced or expert level. For example, the section that asks about organizational support puts companies with executive support and a commitment to security as a core value at a basic level. More advanced companies have a policy and process in place for addressing vulnerabilities that align with an established standard such as ISO 29147 or ISO 30111. Expert-level companies have not only expert support and budgeting in place, but also dedicated analysts who handle vulnerability reports. Similar assessments are made for each capability:

Top-level engineering processes should include dedicated bug-tracking and the use of root-cause analysis to eliminate classes of vulnerabilities.

Expert-level analytics track real-time telemetry of public exploits and help establish remediation and feed data back into a software development lifecycle.

Structured information-sharing and appropriate messaging for the research community, business partners, customers and the media are top-level communications attributes.

Finally, the model assesses where a company is with incentives; stronger programs structure incentives that disrupt vulnerability markets and go beyond financial rewards or bug bounties for critical vulnerabilities. Part of the incentive model, Moussouris said, is an assurance that an organization will not take legal action against a researcher reporting serious vulnerabilities.

“If you have not figured out how to accept reports from customers or hackers or partners, you have not thought it through, and you’re not thinking about security end to end,” Moussouris said.

HackerOne shared an early preview of the model to a few organizations, including the Food and Drug Administration, Moussouris said.

“They looked at how medical device and health care companies get started with vulnerability coordination. This software affects lives,” she said. “You have to be able to receive vulnerability reports to maintain public safety. They liked the simplicity of the model and ability to digest the data coming out of it. They were anxious to get started on incremental steps to take to get better.”

Authors

Threatpost
